WHAT IS CLAIMED IS:

Claim 1. A method for network defense, comprising the steps of:
detecting mission events by processing communications packets and traffic streams;
forming mission tracks by processing said mission events;
estimating mission sensitivities by processing said mission tracks;
prioritizing network operations by processing said mission sensitivities; and
correlating network alarms to missions by processing said mission sensitivities,
wherein said steps include a database of dynamic and a priori information.

Claim 2. The method of claim 1, wherein the step of detecting mission events by processing communications packets comprises:
receiving said communications packets;
extracting said communicated information from said communication packets and traffic streams;
creating homogeneous information packages from said communicated information;
detecting mission events by processing said homogeneous information packages.

Claim 3. The method of claim 1, wherein the step of forming mission tracks by processing said mission events comprises:
determining active mission types, using said mission events;
determining the state of each mission, using said mission events, including producing a mission state vector for each mission.

Claim 4. The method of claim 1, wherein the step of estimating mission sensitivities by processing said mission tracks comprises estimating mission sensitivity to network perturbations, using mission tracks.

Claim 5. The method of claim 1, wherein prioritizing network operations by processing said mission sensitivities comprises ordering said list of network operations by comparing said mission sensitivities.

Claim 6. The method of claim 1, wherein the step of correlating network alarms to missions by processing said mission sensitivities comprises creating a list of relationships between each network alarm and each mission using said mission sensitivity values.

Claim 7. The method of claim 4, wherein network perturbations comprise modifications to network devices, protocols, policies, or architecture through network management courses of action.

Claim 8. The method of claim 4, wherein network perturbations comprise modifications to network devices, protocols, policies, or architecture through attacks on network devices, protocols, policies, or architecture.

Claim 9. The method of claim 1, wherein said database of dynamic and a priori information comprises:
providing a database of performance statistics and observation logs from earlier missions;
providing a set of prespecified mission types;
for each mission type, providing a set of prespecified mission states;
for each mission type, providing a set of prespecified mission events;
providing a set of prespecified network perturbations;
providing a set of weighted mappings from network components to mission states;
providing a set of weighted mappings from network components to mission events;
providing a set of mappings from network perturbations to network components;
providing a set of prespecified network alarms;
providing a rule base for updating, adapting, and modifying mission types, mission states, mission events, network perturbations, network alarms, and mappings using said performance statistics and observation logs.

Claim 10. The method of claim 2, wherein said communicated information comprises packet source information, destination addresses and port information.

Claim 11. The method of claim 2, wherein the step of extracting said communicated information comprises scanning said communicated packets as an unstructured data stream.

Claim 12. The method of claim 2, wherein the step of extracting said communicated information comprises comparing traffic stream characteristics to known usage patterns.

Claim 13. The method of claim 3, wherein the active mission types are determined through the use of an HMM.

Claim 14. The method of claim 3, wherein the state of each mission is determined through the use of an HMM.

Claim 15. The method of claim 13, wherein mission HMM component determination comprises combining performance statistics from earlier missions with an Operational Sequence Diagram.

Claim 16. The method of claim 14, wherein mission HMM component determination comprises combining performance statistics from earlier missions with an Operational Sequence Diagram.

Claim 17. The method of claim 3, wherein the step of determining said active mission types is performed inductively.
Claim 18. The method of claim 17, wherein the step of determining said active mission types inductively is performed through the use of the forward algorithm.

Claim 19. The method of claim 4, further comprising the steps of:
using a system dynamics model and a set of network perturbations to produce a nominal version of the mission state at k+1 and a perturbed version of the mission state at k+1;
propagating out the nominal version of the mission state at k+1 and the perturbed version of the mission state at k+1, to a computation horizon; and
computing the difference between the overall mission effectiveness along the nominal version of the mission state and the perturbed version of the mission state.
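Added example (constructed here, not code from the patent or its applicant) of how claims 17 to 19, with the HMM system dynamics model of claim 30, fit together: one HMM per mission type, the forward algorithm picking the active mission type from a sequence of observed mission events, and mission sensitivity as the effectiveness difference between the nominal and a perturbed mission state propagated from time k to a computation horizon, which then orders candidate network operations as in claim 5. The mission types, states, event alphabet, probabilities, effectiveness weights and perturbation matrices are all assumed for illustration.

```python
# Added illustration (constructed, not from the patent): one HMM per mission type, the
# forward algorithm to pick the active mission, and nominal-vs-perturbed propagation.
import math
# States 0..2 = setup, transfer, done. pi: initial, A: transitions, B: emission
# probability of each event per state, eff: effectiveness credited to each state.
A0 = [[0.3, 0.7, 0.0], [0.0, 0.6, 0.4], [0.0, 0.0, 1.0]]
MISSIONS = {
    "backup": {"pi": [1, 0, 0], "A": A0, "eff": [0.0, 0.5, 1.0],
               "B": {"login": [0.7, 0.1, 0.1], "bulk_xfer": [0.1, 0.7, 0.1],
                     "stream": [0.1, 0.1, 0.1], "report": [0.1, 0.1, 0.7]}},
    "conference": {"pi": [1, 0, 0], "A": A0, "eff": [0.0, 0.5, 1.0],
                   "B": {"login": [0.7, 0.1, 0.1], "bulk_xfer": [0.1, 0.1, 0.1],
                         "stream": [0.1, 0.7, 0.1], "report": [0.1, 0.1, 0.7]}},
}
# Constructed perturbations (network management COAs): one slows transfers so
# state 1 stays put with p=0.95; the other leaves the transfer path untouched.
PERTURBATIONS = {"slow_transfer_link": [[0.3, 0.7, 0.0], [0.0, 0.95, 0.05], [0.0, 0.0, 1.0]],
                 "reroute_idle_link": A0}
EVENTS = ["login", "bulk_xfer", "bulk_xfer", "report"]  # constructed observations

def propagate(dist, A, steps=1):
    """Roll a state distribution forward `steps` transitions under A."""
    for _ in range(steps):
        dist = [sum(dist[i] * A[i][j] for i in range(len(A))) for j in range(len(A))]
    return dist

def forward(hmm, events):
    """Scaled forward algorithm: (log P(events | hmm), filtered state at time k)."""
    alpha, loglik = list(hmm["pi"]), 0.0
    for t, e in enumerate(events):
        alpha = propagate(alpha, hmm["A"]) if t else alpha  # predict (not at t=0)
        alpha = [a * hmm["B"][e][j] for j, a in enumerate(alpha)]  # weight by emission
        z = sum(alpha)  # rescale so long event sequences do not underflow
        loglik += math.log(z)
        alpha = [a / z for a in alpha]
    return loglik, alpha

def active_mission(events):  # claim 18: mission type whose HMM best explains the events
    return max(MISSIONS, key=lambda name: forward(MISSIONS[name], events)[0])

def sensitivity(name, events, perturbed_A, horizon=3):
    """Effectiveness along the nominal path minus along the perturbed path (claim 19)."""
    hmm = MISSIONS[name]
    state_k = forward(hmm, events)[1]
    nominal, perturbed = (propagate(state_k, A, horizon) for A in (hmm["A"], perturbed_A))
    return sum((a - b) * w for a, b, w in zip(nominal, perturbed, hmm["eff"]))

def prioritize(name, events, perturbations):
    """Order candidate network operations, least mission-disruptive first (claim 5)."""
    return sorted(perturbations, key=lambda p: sensitivity(name, events, perturbations[p]))
```

With the constructed events the backup HMM wins the forward-likelihood comparison, and the operation that slows the transfer link shows a positive sensitivity while the idle-link reroute shows none, so it is ordered first.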

Claim 20. The method of claim 4, wherein the step of estimating mission sensitivity to network perturbations comprises using a closed-form expression to compute mission sensitivities.

Claim 21. The method of claim 19, wherein said set of network perturbations comprises a set of alternative network operation COAs.

Claim 22. The method of claim 19, wherein said set of network perturbations comprises a set of attacks on network devices, protocols, policies, and architecture.

Claim 23. The method of claim 20, wherein said set of network perturbations comprises a set of alternative network operation COAs.

Claim 24. The method of claim 20, wherein said set of network perturbations comprises a set of attacks on network devices, protocols, policies, and architecture.

Claim 25. The method of claim 5, wherein network operations comprise modifications to network devices, protocols, policies, or architecture through network management courses of action.
Claim 26. The method of claim 5, wherein network operations comprise modifications to network devices, protocols, policies, or architecture through attacks on network devices, protocols, policies, or architecture.

Claim 27. The method of claim 6, wherein the list of relationships between each network alarm and each mission is constrained by numerical thresholds on said mission sensitivities.

Claim 28. The method of claim 6, wherein network alarms comprise messages indicating failures in network devices, protocols, policies, or architecture.

Claim 29. The method of claim 6, wherein network alarms comprise messages indicating detection of network intrusions.

Claim 30. The method of claim 19, wherein said system dynamics model is an HMM.

Claim 31. The method of claim 21, wherein said system dynamics model is an HMM.

Claim 32. The method of claim 22, wherein said system dynamics model is an HMM.